Impact
The LatePoint calendar booking plugin contains a stored cross-site scripting flaw that allows an unauthenticated attacker to write malicious JavaScript into the 'first_name' field. Because the input is neither sanitized on the way in nor escaped when it is later rendered on web pages, the injected script executes automatically whenever a user loads a page that displays the stored value. This can compromise user sessions, steal credentials, and serve as a launching point for other client-side attacks. The weakness is a classic input validation and output encoding failure (CWE-79).
Affected Systems
All installations of the LatePoint – Calendar Booking Plugin for WordPress, version 5.5.0 and all earlier releases, are affected. The vulnerability exists in the core files handling activities, email templates, and customer data. The data provided does not document a release that contains a fix, so administrators must explicitly confirm that they are running a version later than 5.5.0.
Risk and Exploitability
The severity is reflected in a CVSS score of 7.2, indicating a moderate-to-high risk. The EPSS score is reported as not available, so no current exploitation probability can be determined. The issue is not listed in the CISA KEV catalog. An attacker can trigger the flaw by submitting a booking form, or any other interface that accepts a 'first_name' parameter, without authenticating; the malicious script is stored and later served to every visitor who views the affected pages. Because the input path requires no authentication, exploitation is feasible from publicly accessible interfaces, but the impact is confined to browsers that render the stored content.
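To make the failure mode concrete, the following PHP is an added illustration and not LatePoint's code: it contrasts the unescaped rendering pattern described in the Impact section with an output-encoded version, and adds a small triage helper for flagging stored customer records that contain markup. The function names, the table markup and the sample value are constructed for this example; the WordPress functions named in the comments (esc_html, esc_attr, sanitize_text_field) are the standard plugin-side equivalents of the plain-PHP calls used here.

```php
<?php
// Added example (not LatePoint code): a stored first_name value rendered
// with and without output encoding, plus a check for markup in stored data.

// Constructed sample: what a booking submission that carried script in
// first_name leaves in the database when the input path does not sanitize.
$storedFirstName = '<script>alert("stored")</script>Alice';

// Vulnerable pattern: the stored value is concatenated straight into HTML,
// so the browser parses the script element and executes it on every view.
function render_unescaped(string $firstName): string
{
    return '<td class="customer-name">' . $firstName . '</td>';
}

// Hardened pattern: encode at the point of output so the browser treats the
// value as text. ENT_QUOTES covers both quote styles so the same function is
// safe inside attribute values as well as element content. In WordPress
// plugin code the equivalents are esc_html() for element content and
// esc_attr() inside attributes; sanitize_text_field() belongs on the input
// side too, but output encoding is the control that stops execution.
function render_escaped(string $firstName): string
{
    return '<td class="customer-name">'
        . htmlspecialchars($firstName, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</td>';
}

// Triage helper: after upgrading, records written while the plugin was
// vulnerable may still hold markup. Flag any value that changes when tags
// are stripped so an administrator can review and clean it.
function contains_markup(string $value): bool
{
    return $value !== strip_tags($value);
}

// Constructed customer rows standing in for database results.
$customers = [
    ['id' => 1, 'first_name' => 'Alice'],
    ['id' => 2, 'first_name' => $storedFirstName],
    ['id' => 3, 'first_name' => "O'Brien"],
];

echo "Unescaped render (vulnerable):", PHP_EOL;
echo render_unescaped($storedFirstName), PHP_EOL, PHP_EOL;

echo "Escaped render (hardened):", PHP_EOL;
echo render_escaped($storedFirstName), PHP_EOL, PHP_EOL;

echo "Records containing markup:", PHP_EOL;
foreach ($customers as $row) {
    if (contains_markup($row['first_name'])) {
        echo '  customer id ', $row['id'], ' needs review', PHP_EOL;
    }
}
```

Run it with `php example.php`: the escaped render shows the angle brackets and quotes converted to entities, so the text is displayed rather than executed, and only the record holding the script element is flagged for review. Apostrophes in ordinary names are encoded but remain readable, which is why the check uses strip_tags rather than rejecting any non-alphanumeric character.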
OpenCVE Enrichment